Safe Handling of User Submitted Variables


6 replies to this topic

#1 Jessica

Jessica
  • Staff Alumni
  • This is not my name.
  • 8,982 posts
  • LocationDallas, TX
  • Age:26

Posted 08 March 2006 - 08:00 PM

Hi :) Right now I have a few functions I am using for when a user submits info, which strip out anything that could be dangerous. Is there anything else I need to add, or do they look okay as is?

Here are two of them:

function safe_POST($item){
    $item = mysql_real_escape_string(strip_tags($_POST[$item]));
    return $item;
}

function safe_int_GET($item){
    $item = intval($_GET[$item]);
    return $item;
}

My goal in replying to posts is to help you become a better programmer, including learning how to debug your own code and research problems. For that reason, rather than posting the solution, I reply with tips and hints on how to find the solution yourself. See below for useful links when you get stuck.

How to Get Good Help: How to Ask Questions | Don't be a help vampire
Debugging Your Code: Debugging your SQL | What does a php function do? | What does a term mean? | Don't see any errors?
Things You Should Do: Normalize Your Data | use print_r() or var_dump()
Lulz: "Functions should not have side effects." - trq

Please take a look at my new PHP/Web Dev blog: The Web Mason - Thanks!!
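An added example (not code from this thread or from jesirose) showing the limits of the two helpers above: strip_tags() plus mysql_real_escape_string() only protects a value placed inside a quoted SQL string literal, the escaped value is wrong for any other context (an unquoted numeric slot, an HTML attribute), and intval() silently turns "1 OR 1=1" into 1 rather than rejecting it. The example validates on input and escapes per output context instead. The request values, table and column names are constructed; it assumes PHP 8 with the pdo_sqlite extension so the database part runs in memory.

```php
<?php
// Added example, not the thread's own code. Validate on input, bind SQL
// parameters, encode HTML at output time. Assumes PHP 8 + pdo_sqlite.
declare(strict_types=1);

// Constructed sample request, standing in for the real $_POST.
$_POST = [
    'username' => "o'brien",                   // legitimate apostrophe
    'id'       => '1 OR 1=1',                  // injection attempt in a numeric slot
    'bio'      => '" onmouseover="alert(1)',   // no tags, so strip_tags() keeps it
];

// Hypothetical schema for the demo.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, bio TEXT)');
$db->exec("INSERT INTO users (username, bio) VALUES ('alice', 'hi'), ('o''brien', 'irish')");

// 1. Numeric input: reject anything that is not an integer instead of
//    truncating it the way intval('1 OR 1=1') === 1 would.
function post_int(string $key): ?int
{
    $v = filter_var($_POST[$key] ?? null, FILTER_VALIDATE_INT);
    return $v === false ? null : $v;
}

// 2. Free text: enforce a length limit and reject control characters, but do
//    not escape here; the escaping depends on where the value ends up.
function post_text(string $key, int $maxLen): ?string
{
    $v = $_POST[$key] ?? null;
    if (!is_string($v) || strlen($v) > $maxLen
        || preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', $v)) {
        return null;
    }
    return $v;
}

$id       = post_int('id');              // null: "1 OR 1=1" is not an integer
$username = post_text('username', 32);

// 3. SQL context: a bound parameter, so the apostrophe in "o'brien" needs no
//    escaping and cannot terminate the literal.
$stmt = $db->prepare('SELECT id, bio FROM users WHERE username = :u');
$stmt->execute([':u' => $username]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// 4. HTML context: encode when rendering. strip_tags() would have passed the
//    bio value through untouched, and it breaks out of the attribute.
$bio  = post_text('bio', 200);
$html = '<input value="' . htmlspecialchars($bio ?? '', ENT_QUOTES | ENT_HTML5, 'UTF-8') . '">';

printf("id=%s user=%s found=%s\n", var_export($id, true), $username, $row ? 'yes' : 'no');
echo $html, "\n";
```

The point of the split is that "safe" is not a property of a string on its own: a value is safe for a specific destination, so the escaping (or parameter binding) belongs at the point where the value is placed into SQL, HTML or a shell command, not in a generic input function.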

#2 XenoPhage

XenoPhage
  • Members
  • PipPipPip
  • Advanced Member
  • 99 posts

Posted 08 March 2006 - 09:27 PM

Quote (jesirose @ Mar 8 2006, 03:00 PM):
Hi :) Right now I have a few functions I am using for when a user submits info, which strip out anything that could be dangerous. Is there anything else I need to add, or do they look okay as is?

Here are two of them:

function safe_POST($item){
    $item = mysql_real_escape_string(strip_tags($_POST[$item]));
    return $item;
}

function safe_int_GET($item){
    $item = intval($_GET[$item]);
    return $item;
}
(end quote)

Well, that's one way to do it. You can also use preg_match() to ensure that the data is exactly what you're looking for. Then wrap it from there if you need to insert it into a database.
--
XenoPhage (http://blog.godshell.com)
"Something mysterious is formed, born in the silent void. Waiting alone and unmoving, it is at once still and yet in constant motion. It is the source of all programs. I do not know its name, so I will call it the Tao of Programming."

#3 lessthanthree

lessthanthree
  • Members
  • PipPipPip
  • Advanced Member
  • 85 posts
  • LocationUK

Posted 08 March 2006 - 09:36 PM

Just to add:

If you're expecting numbers, as well as using intval() you could use is_numeric().
call me a safe bet, i'm betting i'm not

#4 Jessica

Jessica
  • Staff Alumni
  • This is not my name.
  • 8,982 posts
  • LocationDallas, TX
  • Age:26

Posted 08 March 2006 - 09:40 PM

Quote (lessthanthree @ Mar 8 2006, 03:36 PM):
Just to add:

If you're expecting numbers, as well as using intval() you could use is_numeric().
(end quote)

Why would I do that? Doesn't that just find out if it is a number, whereas intval returns the numeric value? Can you explain the value of checking if it's a number? Thanks :)

#5 lessthanthree

lessthanthree
  • Members
  • PipPipPip
  • Advanced Member
  • 85 posts
  • LocationUK

Posted 08 March 2006 - 09:44 PM

The only real advantage it has over intval is that if you are definitely expecting a number you can use something like

if (!is_numeric($_GET["id"])) {
    // print some kind of error.
}

Which can quite often be useful, as it is therefore obvious that characters have been submitted. This would not be apparent using intval().

#6 XenoPhage

XenoPhage
  • Members
  • PipPipPip
  • Advanced Member
  • 99 posts

Posted 08 March 2006 - 09:45 PM

Quote (jesirose @ Mar 8 2006, 04:40 PM):
Why would I do that? Doesn't that just find out if it is a number, whereas intval returns the numeric value? Can you explain the value of checking if it's a number? Thanks :)
(end quote)

Well, if you're expecting a number, and someone submits a character, is_numeric will make that apparent...

I generally do checks like this :

if (preg_match('/^\w+$/', $_REQUEST['variable'])) {
   $myvar = $_REQUEST['variable'];
} else {
   // Either warn the user or fall back to a "default"
}

That would be for a text value containing any alphanumeric character including _ ... You can obviously change the regex to something else as needed.
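An added example, not code from lessthanthree's or XenoPhage's posts, that runs the checks discussed in the two posts above (intval(), is_numeric(), ctype_digit(), FILTER_VALIDATE_INT and an anchored preg_match()) over constructed inputs so the differences are visible side by side. It also shows one caveat a practitioner should know about the /^\w+$/ pattern: in PCRE, $ still matches before a single trailing newline, so "42\n" passes /^\w+$/ but not /^\w+\z/. The sample inputs and function names are mine; it assumes PHP 8.

```php
<?php
// Added example, not the thread's own code. Assumes PHP 8.
declare(strict_types=1);

// Constructed sample inputs: the kind of thing a sloppy client or an attacker sends.
const SAMPLES = ['42', ' 42', '42 ', '4e1', '0x2A', '1 OR 1=1', "42\n", '', '-7', '007'];

// Strict positive-integer id check: digits only, no sign, no whitespace,
// no exponent, no leading zeros, bounded length. \A and \z anchor at the
// true start and end of the subject.
function is_strict_id(mixed $v): bool
{
    return is_string($v) && preg_match('/\A[1-9][0-9]{0,17}\z/', $v) === 1;
}

// Same /^\w+.../ pattern as above with a pluggable end anchor, to show
// that $ tolerates a trailing newline while \z does not.
function matches_end_anchor(string $v, string $anchor): bool
{
    return preg_match('/^\w+' . $anchor . '/', $v) === 1;
}

// Run every check over every sample and return the results keyed by input.
function compare_checks(): array
{
    $rows = [];
    foreach (SAMPLES as $s) {
        $rows[$s] = [
            'intval'        => intval($s),                                 // coerces, never rejects
            'is_numeric'    => is_numeric($s),                             // accepts " 42", "4e1"
            'ctype_digit'   => $s !== '' && ctype_digit($s),               // digits only, allows "007"
            'validate_int'  => filter_var($s, FILTER_VALIDATE_INT) !== false, // trims, rejects "007"
            'strict_id'     => is_strict_id($s),
            'dollar_anchor' => matches_end_anchor($s, '$'),
            'z_anchor'      => matches_end_anchor($s, '\z'),
        ];
    }
    return $rows;
}

foreach (compare_checks() as $input => $r) {
    printf("%-12s intval=%-5s is_numeric=%-5s ctype_digit=%-5s validate_int=%-5s strict=%-5s \$=%-5s \\z=%s\n",
        var_export($input, true),
        ...array_values(array_map(fn($x) => var_export($x, true), $r)));
}
```

The takeaway matches XenoPhage's suggestion: decide exactly what shape the value must have and reject everything else, rather than coercing with intval() and hoping. Of the built-in checks, is_numeric() is the loosest (it accepts leading whitespace and exponent notation), FILTER_VALIDATE_INT is closer to what an id column wants, and an explicitly anchored regular expression is the most predictable.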

#7 Jessica

Jessica
  • Staff Alumni
  • This is not my name.
  • 8,982 posts
  • LocationDallas, TX
  • Age:26

Posted 08 March 2006 - 09:46 PM

Quote (lessthanthree @ Mar 8 2006, 03:44 PM):
The only real advantage it has over intval is that if you are definitely expecting a number you can use something like

if (!is_numeric($_GET["id"])) {
    // print some kind of error.
}

Which can quite often be useful.
(end quote)

Okay great, thanks :) I will remember that one.



